Lansing, MI - Attorney General Dana Nessel, along with the attorneys general of 27 states, has entered into a settlement with Sabre Corp. that resolves an investigation into the 2017 data breach of Sabre Hospitality Solutions’ hotel booking system.
The breach exposed the data of about 1.3 million credit cards nationally. The settlement requires a payment of $2.4 million, of which Michigan will receive just over $74,500 and injunctive relief. The number of Michigan consumers affected by the Sabre data breach is unknown.
Sabre Hospitality Solutions, a business segment of Sabre, operates the SynXis Central Reservation system, which facilitates the booking of hotel reservations. SynXis connects business travel coordinators, travel agencies and online travel booking companies on one end to Sabre’s hotel customers on the other. On June 6, 2017, Sabre informed its hotel customers of a data breach that had occurred between August 2016 and March 2017, which the business had disclosed in a 10-Q SEC filing the month before. Notice to consumers was provided by the hotels, resulting in some notices being issued as late as 2018, and some consumers receiving multiple notices stemming from the same breach.
“Consumers should always consider using a credit card when making online purchases rather than a debit card, to make use of an extra level of protection offered by the credit card companies,” Nessel said. “This data breach is another reminder to consumers to always scrutinize credit card statements upon receipt so that you can dispute charges you don’t recognize, cancel the card and order a replacement.”
Attorney General Nessel has taken multiple actions to protect consumers from fraudulent and deceptive business activities and inform them on how they can protect themselves and respond various incidents, such as data breaches. For more information specific to data breaches, view the previously issued consumer alert.
The settlement requires Sabre to take several measures to better protect consumers from potential data breach and to improve notification to consumers if that happens. Sabre is required to:
- Add language in future contracts that specifies the roles and responsibilities of Sabre and its clients in the event of a breach;
- Determine whether its clients have provided notice to consumers, and to provide the attorneys general a list of all the customers that it has notified;
- Implement and maintain a comprehensive information security program, a written incident response and data breach notification plan;
- Implement specific security requirements; and
- Undergo a third-party security assessment.